And these new variants on old stories proliferate throughout the various versions of each character arc – variations on the same themes, but instantly recognizable to long-time fans and easily remembered by new ones. Tony Stark’s updated origin story in the first Iron Man movie is one such example; the supervillain Mystique’s origin in the X-Men series of films (not part of the MCU) is another.

That isn’t to say that there’s no innovation taking place. Frank Miller’s The Dark Knight Returns radically shifted the general public’s perception of Batman away from the 1960s comedy paradigm popularized by the camp television series towards a much darker interpretation of Bruce Wayne’s tortured transformation into the Batman, an interpretation carried through two (soon to be three) successive reboots of the cinematic portrayal of the classic superhero. Alan Moore’s Watchmen cleverly subverted the tried and true formulas of both superheroes and their supervillain nemeses, transforming one into the other in a paired set of character inversions which are amongst the strongest and most memorable in all forms of literature. With Marvels, Alex Ross and Kurt Busiek brought us back to the beginnings of the character arcs of many of the major Marvel superheroes – giving us a very different perspective on those beginnings – resulting in a familiar, yet greatly altered perception of their stories and significance. Ross and Mark Waid did the same for Superman, Wonder Woman, and Captain Marvel (along with several other nearly-forgotten characters) in DC’s seminal Kingdom Come series.

And then Mark Millar showed up, and subverted everything we thought we knew about the superhero/supervillain dichotomy in his ‘Millarworld’ milieu, as well as in more established Marvel and DC franchises. Millar made use of many of the same basic concepts mixed in with more extreme characters and circumstances, leading to outcomes familiar in theme but wildly varying in detail.

Depending upon your inclinations and sensibilities, the thematic and archetypal similarities between the story arcs of comic books and graphic novels and the state of security of many Internet-connected networks and properties may be either amusing, depressing, or strangely compelling. Or some combination of the three.

And as it turns out, it’s considerably easier to become a supervillain on the Internet than it ever has been in comics:

Step 1: Possess – or Invent – a Motive.

Whether it’s ideology, greed, online gaming disputes, or pure nihilism (e.g., ‘for the lulz’), for all practical purposes there’s a near-infinitude of miscreants or potential miscreants on the Internet today (latest user population estimate: 3 billion and counting), and many of them have a near-infinite set of axes to grind, either real or imaginary. No matter an organization’s industry, vertical, focus, market, services, or user population, somewhere out there is someone who can somehow benefit from disrupting the availability of its Internet presence. It doesn’t matter who or why; it’s enough to know that they’re out there, that they’ve been a feature of life on the Internet reaching all the way back to its Cold War/ARPANET/IRC origin story, and that they are seemingly destined to always be with us.

Step 2: Develop – or Acquire – the Means.

Whether a given archenemy is a network- and applications-savvy polymath or a clueless script kiddie barely able to click a mouse or maneuver across a touchscreen, there are superpowers out there waiting to be invented, used, or reused in the service of disruption. The real innovators (think Lex Luthor or Victor von Doom) are relatively rare. They develop new DDoS attack methodologies and either sell them onwards or use them personally to accomplish their own goals (generally extortion, a diversion to mask online espionage of one form or another, or something ideological in nature). Those new methodologies then inevitably make their way downstream into weaponized cloud-based DDoS ‘booter’ or ‘stresser’ tools, allowing the least technically-inclined aspiring Doctor Impossibles to make use of highly effective DDoS techniques such as link-saturating reflection/amplification attacks or more subtle TCP connection-oriented attack methodologies, all through an accessible (if not aesthetically pleasing) Web GUI. Push a few buttons, move a few sliders, pay up with a few (likely stolen) Bitcoins or credit cards, and a new Internet supervillain is born!

Step 3: Identify the Opportunity.

Unfortunately, the industry best current practices (BCPs) for maximizing the availability of network elements, servers, application stacks, services, et al. – which have been developed, made publicly available, and continually evangelized by many participants in the global operational security community, including Arbor ASERT – are more honored in the breach than in the observance. As a result, even very well-understood, basic DDoS attack methodologies all too often succeed against large, well-resourced organizations whose Internet-facing properties are crucial to their revenue streams, logistics, and brand reputation. This state of affairs works in favor of attackers at all skill levels, who often don’t even bother to perform much (if any) reconnaissance before launching DDoS attacks against their intended targets.

The more effective Internet supervillains with the longest-running criminal careers are those who practice good tradecraft, who don’t risk gaining too much negative attention from various combinations of law enforcement agencies, and who know when to fade into the background until the next target of opportunity presents itself. And then there are those who adopt a flashy moniker, who’re extremely profligate with their attack campaigns, who threaten DDoS attacks of the greatest sophistication and largest attack traffic volumes – but who in reality are utilizing the same tried-and-true attack methodologies pioneered by the original innovators, slowly expanding their mastery of entry-level ‘booter’/‘stresser’ services while becoming giddy with their newfound, yet circumscribed, superpowers. For this category of Internet supervillains, small initial successes often boost their self-confidence to unjustified levels, and lead them into an overly profligate series of attacks against high-profile institutions which is almost certainly going to bring a lot of unwanted (from the attacker’s point of view) official scrutiny.

For the last year or so, an individual or organization calling itself DD4BC (‘DDoS for Bitcoins’) has been rapidly increasing both the frequency and the scope of its DDoS extortion attempts, shifting target demographics from low-level Bitcoin exchanges to online casinos and betting shops and, most recently, to prominent financial institutions across Europe, Asia, Australia, and New Zealand. DD4BC’s modus operandi is generally to launch a relatively small 10 Gb/sec to 15 Gb/sec reflection/amplification DDoS attack against the chosen target, then email an extortion demand for between 15 and 100 Bitcoins (whatever they believe the target in question may be willing to pay) to an official contact address at the targeted organization. These extortion demands typically claim that DD4BC have 400 Gb/sec to 500 Gb/sec of DDoS attack capacity at their disposal, give the targeted organization 48 hours to pay up, and threaten to unleash overwhelming DDoS attacks against the target in the event of non-payment.

As of this writing, we’re unaware of any organization which has actually given in to DD4BC’s extortion demands, so we’re unsure of how lucrative DD4BC’s DDoS-driven extortion campaigns actually are for the perpetrator(s). What we have observed is that to date, DD4BC seem not to have generated any DDoS attacks in excess of a few tens of Gb/sec – which, sadly, have been sufficient to at least initially disrupt the availability of many targeted organizations due to the all-too-commonplace lack of adequate preparation on the part of the defenders. However, the targets and their ISP and MSSP partners have generally moved quickly to successfully mitigate the DD4BC DDoS attacks, not least because DD4BC are simply making use of well-known DDoS attack methodologies such as NTP, SSDP, and WordPress XML-RPC reflection/amplification attacks, plus the occasional SYN-flood (one of the original DDoS attack methodologies in use on the then-nascent commercial Internet, first put to use in 1995). The WordPress reflection/amplification attack, first described in early 2014, seems to be the latest addition to their repertoire.

The NTP reflection/amplification attacks utilized by DD4BC have been seen on the public Internet for the last several years, achieving mainstream popularity in late 2013/early 2014, with Arbor publishing an analysis of the attacks and detailed mitigation instructions in mid-2014. SSDP ascended into popularity in mid-2014, and Arbor included descriptions of and effective mitigation techniques for this DDoS attack methodology in updates to our earlier publications on the general topic of reflection/amplification DDoS attacks.
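The attack types named above share a flow-level signature that a defender can check for even before a mitigation platform is in place: reflected UDP traffic arrives from a well-known service port (NTP 123, SSDP 1900, DNS 53, SNMP 161, chargen 19) from many distinct reflectors carrying large packets, while a SYN-flood arrives from many distinct (usually spoofed) sources as bare SYNs carrying tiny packets. The following Python script is an added example, not code from the original post or from Arbor. It assumes a simplified whitespace-separated flow-record format of its own, uses heuristic thresholds that are assumptions to be tuned per network, and runs over constructed sample records in documentation address ranges rather than captured traffic.

```python
"""Flow-level classifier for reflection/amplification and SYN-flood traffic.
Added example (not from the original post or Arbor): the record format,
thresholds and sample records below are all assumptions/constructed data."""
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# Service ports abused as reflectors by the attack types named in the text.
REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS", 161: "SNMP", 19: "chargen"}

# Heuristic thresholds (assumptions; tune against your own traffic baseline).
MIN_SOURCES = 50         # distinct reflectors/bots before we call it distributed
MIN_AMP_PKT_BYTES = 400  # reflected responses are large; normal NTP/DNS replies are not
MAX_SYN_PKT_BYTES = 80   # a bare SYN is roughly 40-60 bytes on the wire

Flow = namedtuple("Flow", "ts proto src sport dst dport pkts nbytes flags")


@dataclass
class Bucket:
    """Aggregate of all flows sharing one (victim, port) key."""
    sources: set = field(default_factory=set)
    pkts: int = 0
    nbytes: int = 0
    first: float = float("inf")
    last: float = 0.0


def parse_flows(text):
    """Parse 'ts proto src sport dst dport pkts bytes flags' records (assumed format)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 9:
            raise ValueError(f"malformed flow record: {line!r}")
        flows.append(Flow(float(f[0]), f[1], f[2], int(f[3]), f[4], int(f[5]),
                          int(f[6]), int(f[7]), f[8]))
    return flows


def _detail(b, avg):
    window = max(b.last - b.first, 1.0)  # seconds covered by the bucket
    return {"sources": len(b.sources), "avg_pkt_bytes": round(avg),
            "gbps": round(b.nbytes * 8 / window / 1e9, 3)}


def classify(flows):
    """Return (kind, victim, detail) for each attack signature found.
    UDP flows are keyed on (victim, source port); TCP flows carrying only SYN are
    keyed on (victim, destination port). XML-RPC pingback reflection rides on
    ordinary HTTP and is not visible here; it needs web-server log inspection."""
    udp, syn = defaultdict(Bucket), defaultdict(Bucket)
    for fl in flows:
        if fl.proto == "UDP" and fl.sport in REFLECTOR_PORTS:
            b = udp[(fl.dst, fl.sport)]
        elif fl.proto == "TCP" and fl.flags == "S":
            b = syn[(fl.dst, fl.dport)]
        else:
            continue
        b.sources.add(fl.src)
        b.pkts += fl.pkts
        b.nbytes += fl.nbytes
        b.first = min(b.first, fl.ts)
        b.last = max(b.last, fl.ts)

    findings = []
    for (dst, sport), b in udp.items():
        avg = b.nbytes / b.pkts
        if len(b.sources) >= MIN_SOURCES and avg >= MIN_AMP_PKT_BYTES:
            findings.append((f"{REFLECTOR_PORTS[sport]} reflection/amplification",
                             dst, _detail(b, avg)))
    for (dst, dport), b in syn.items():
        avg = b.nbytes / b.pkts
        if len(b.sources) >= MIN_SOURCES and avg <= MAX_SYN_PKT_BYTES:
            findings.append((f"SYN flood on tcp/{dport}", dst, _detail(b, avg)))
    return findings


def build_sample_flows():
    """Constructed records using RFC 5737 documentation ranges; not real traffic."""
    victim, other = "203.0.113.10", "203.0.113.20"
    lines = ["# ts proto src sport dst dport pkts bytes flags"]
    # 200 NTP reflectors, each sending 50 large responses over a ~10 s window
    for i in range(1, 201):
        lines.append(f"{1000 + i % 10} UDP 198.51.100.{i} 123 {victim} 40000 50 {50 * 468} -")
    # 150 spoofed sources sending bare 60-byte SYNs at tcp/443
    for i in range(1, 151):
        lines.append(f"{1000 + i % 10} TCP 192.0.2.{i} {40000 + i} {victim} 443 100 6000 S")
    # Benign traffic that must not trigger: one NTP peer, five small DNS replies
    lines.append(f"1000 UDP 198.51.100.250 123 {other} 123 4 304 -")
    for i in range(1, 6):
        lines.append(f"1000 UDP 192.0.2.{200 + i} 53 {victim} 51000 3 900 -")
    return "\n".join(lines)


if __name__ == "__main__":
    for kind, victim, detail in classify(parse_flows(build_sample_flows())):
        print(f"{victim}: {kind} from {detail['sources']} sources, "
              f"avg {detail['avg_pkt_bytes']} B/pkt, ~{detail['gbps']} Gb/s")
```

The measured Gb/sec figure is the one to compare against whatever capacity an extortion e-mail claims: it is what the attacker has actually demonstrated, and it is also the number an upstream ISP or MSSP needs when asked to filter traffic sourced from UDP port 123 or 1900 towards the victim prefix.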

In short, DD4BC appear to be utilizing commercial ‘booter’/‘stresser’ services, and are slowly expanding their mastery of these entry-level attack-generation systems to launch attacks employing well-known methodologies with equally well-known mitigation techniques, available through commercial solutions and services such as Arbor’s Peakflow SP/TMS, APS, and Arbor Cloud, as well as a variety of network infrastructure-based tools and techniques recommended by Arbor to network operators of all varieties.

The secret identities and motivations of aspiring Internet supervillains may be of prurient interest to both targets and bystanders, but those details aren’t necessary for organizations with significant Internet-facing properties to successfully defend against the well-known and readily-mitigated DDoS attack methodologies utilized by lower-tier miscreants, or against the increasingly sophisticated attacks launched by more skilled attackers.

During the most recent upsurge in DD4BC activity, we’ve worked with targeted organizations who hadn’t yet incorporated the relevant best current practices (BCPs) nor followed the mitigation recommendations made by Arbor and other participants in the global operational security community, and who therefore were initially affected by DD4BC’s use of these well-known DDoS attack methodologies. However, it was relatively easy to bring them up to speed very quickly, with both on-premises and ISP/MSSP DDoS defense solutions, services, and techniques which effectively mitigated the attacks against these organizations.

Conversely, we also collaborated with organizations – both service providers of various stripes and enterprises in various verticals – who’d already incorporated Arbor’s recommended BCPs and detection/classification/traceback/mitigation techniques during the initial upsurge in NTP reflection/amplification attacks in early 2014 and SSDP reflection/amplification attacks in mid-2014, as well as organizations we’d been assisting in mitigating DNS, SNMP, chargen, and other reflection/amplification attacks over many years. Because these organizations have kept up with the latest BCPs and recommended mitigation strategies, and have done so for many years, they and their customers/users were almost completely unaffected by the standard reflection/amplification attacks launched against them by DD4BC, who soon decided to switch their focus to less prepared and capable targets.


ASERT

Arbor’s Security Engineering & Response Team (ASERT) delivers world-class network security research and analysis for the benefit of today’s enterprise and network operators. ASERT engineers and researchers are part of an elite group of institutions that are referred to as ‘super remediators’ and represent the best in information security. ASERT has both visibility and remediation capabilities at nearly every tier one operator and a majority of service provider networks globally.

ASERT shares operationally viable intelligence with hundreds of international Computer Emergency Response Teams (CERTs) and with thousands of network operators via in-band security content feeds. ASERT also operates the world’s largest distributed honeynet, actively monitoring Internet threats around the clock and around the globe.

Arbor Networks has collaborated with Jigsaw (formerly Google Ideas) to create a data visualization that shows how Distributed Denial of Service (DDoS) attacks have become a global problem. The data is updated daily from Arbor’s global network of sensors and can be viewed at www.digitalattackmap.com